Remote SSH access via internet

I'd like to make SSH access to a Mac in China. The Mac is currently on a PC network with ports 407 and 5900 directed to its local IP address. I have engaged remote login in the Sharing panel.

Any advice would be appreciated.

G5/dual 2ghz/2.5gb RAM, Mac OS X (10.4.11)

Posted on Jan 20, 2008 3:19 AM

21 replies

Jan 24, 2008 9:07 AM in response to David McMillan

j.v. mentions some good points you should also consider.

a static ip isn't necessary, though it's convenient.

what i do most of the time for client servers is the following:

- use hosts.deny to deny all for ssh
- use hosts.allow to allow just ssh access from a few known-safe hostnames (home, office)
- disable password logins
- allow key authentication
- (when possible) change the listening port

with all of those, you should be relatively safe. as j.v. suggests, you can also tunnel 5900 over ssh to further secure your access.

Jan 24, 2008 9:18 AM in response to David McMillan

You would need to add the file to the /etc/ folder, it then kicks into action automatically. Other useful files that may reside there are hosts.deny and hosts.equiv

It's important to block holes because hackers find an open machine and flood the ports from every direction trying to break in. Plug the holes and they soon give up and you find your internet a whole lot faster.

You really need to examine your secure.log to see who is trying to break into your server, and what usernames they are trying.

Jan 24, 2008 11:47 AM in response to David McMillan

If you and only you are connecting from known ISPs, there is really no reason to explicitly deny access from certain IPs. If you had a pool of users who used various ISPs, you may find it useful to block known attackers.

A good idea is to set yourself a "back door" of a known server you SSH to. If you ever find yourself locked out of your server, you can SSH from a known machine to set the hosts.allow to let yourself in.

I have never needed to use hosts.equiv, but I believe it lists trusted hostnames. Try to not get too complex unless your security needs it.


My allowed connections look like this:
ALL : localhost
ALL : 127.0.0.1
ALL : 192.168.
ALL : 172.16.
ALL : .hlrn.qwest.net

sshd : <known server IP, I'm not saying>
ALL : .phndaz91.dynamic.covad.net
ALL : .hsd1.nm.comcast.net
# RCN New York:
ALL : 207.237.
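The hosts.deny / hosts.allow steps in the first reply and the hosts.allow listing above, as an added example that is not code from the thread: a small Python model of the tcpd decision order (hosts.allow first, then hosts.deny, otherwise allow) run over constructed rule files, which shows why the "deny all for ssh" line is what actually closes the door. The rule contents, hostnames and the 203.0.113.10 "back door" address are constructed for the demonstration.

```python
# Added example (not from the thread): a model of the TCP-wrappers decision that
# the hosts.allow / hosts.deny advice relies on. Rule contents, hostnames and the
# 203.0.113.10 "back door" address are constructed for the demonstration.
from dataclasses import dataclass

@dataclass
class Client:
    ip: str
    host: str = ""  # reverse-resolved hostname; "" when the lookup failed

def client_matches(token: str, client: Client) -> bool:
    """One client pattern from the tcpd access-control language."""
    if token == "ALL":
        return True
    if token == "LOCAL":                      # any hostname without a dot
        return bool(client.host) and "." not in client.host
    if token.startswith("."):                 # domain suffix, e.g. .hlrn.qwest.net
        return client.host.lower().endswith(token.lower())
    if token.endswith("."):                   # leading octets, e.g. 192.168.
        return client.ip.startswith(token)
    return token in (client.ip, client.host)  # exact address or hostname

def parse_rules(text: str) -> list:
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def file_matches(text: str, daemon: str, client: Client) -> bool:
    """True if any rule in the file names this daemon and matches this client."""
    return any(("ALL" in ds or daemon in ds) and any(client_matches(c, client) for c in cs)
               for ds, cs in parse_rules(text))

def access_decision(allow_text: str, deny_text: str, daemon: str, client: Client) -> str:
    """tcpd order: hosts.allow first, then hosts.deny, otherwise the default is allow."""
    if file_matches(allow_text, daemon, client):
        return "allow"
    if file_matches(deny_text, daemon, client):
        return "deny"
    return "allow"  # neither file matched: the connection is admitted

HOSTS_ALLOW = """\
ALL  : localhost
ALL  : 192.168.
ALL  : .hlrn.qwest.net
sshd : 203.0.113.10   # constructed "back door" address (TEST-NET-3 range)
"""
HOSTS_DENY = "sshd : ALL\n"   # the "deny all for ssh" line; without it, unknown hosts get in
```

Running access_decision with an empty hosts.deny against an address that is in neither file returns "allow", which is the gap the first reply's deny-all step closes.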

Jan 25, 2008 11:18 AM in response to j.v.

j.v. wrote:
"Personally, I really like tunneling everything through ssh because I gain comfort knowing that most eavesdroppers can't glean any intelligence from any intercepted traffic, and because I like public key authentication, which you can do with ssh, way better than username/password authentication; the former I believe to be way superior in preventing break-ins."

Here's another vote for turning off password authentication:
http://www.cpanel.net/security/notes/randomjstoolkit.html
A new exploit is going around that uses password authentication even when using non-standard ssh ports. Strong passwords are broken with no sign of brute force. They believe a database of root passwords has been compromised. To make a long story short:
systems with password authentication off have not been affected.

--
Cole
